iStat Menus 7.10.4 Local Privilege Escalation via XPC Command Injection (CVE-2025-11921)

Key Information Vulnerability Overview Vulnerability Name: iStat Menus 7.10.4 - Local Privilege Escalation Severity: Critical (9.3) Discoverer: Oscar Uribe (Fluid Attacks) Affected Product: iStat Menus Release Date: Nov 7, 2025 CVE ID: CVE-2025-11921 Description The iStat Menus daemon ( ) exposes an XPC service that accepts commands via the method. This service lacks authentication and authorization checks, allowing any local process to connect and invoke privileged operations. The command is affected by a command injection vulnerability. Vulnerability Details 1. No Authentication: The XPC listener accepts all incoming connections without verifying client code signature, permissions, or bundle identifier. 2. Unvalidated Input: The command extracts user-supplied values from JSON and directly inserts them into command templates. 3. Command Injection: Attackers can execute arbitrary commands by injecting shell metacharacters ( , , , etc.). Affected Commands : Command injection : Fan speed control (risk of physical damage) : Fan reset : Wi-Fi control + packet capture : Process information disclosure : Disk information + network capture : System sensor data : Sensor updates Proof of Concept (PoC) Exploit: Includes complete code example and execution output. Security Policy CVE-2025-11921 is reserved to identify this vulnerability; refer to this ID from now on. System Information Product: iStat Menus Version: 7.10.4 Operating System: macOS References Product Link: https://bjango.com/mac/istatmenus/ Patch Link: https://cdn.istatmenus.app/files/istatmenus7/versions/iStatMenus7.10.6.zip Mitigation Updated versions of iStat are available on the vendor’s website. Timeline Vulnerability Discovery: Oct 16, 2025 Vendor Contacted: Nov 5, 2025 Vendor Response: Nov 5, 2025 Vendor Requested Re-testing: Nov 6, 2025 Vendor Confirmed: Nov 5, 2025

Goal Reached Thanks to every supporter — we hit 100%!

iStat Menus 7.10.4 Local Privilege Escalation via XPC Command Injection (CVE-2025-11921)